Monday, June 3, 2013

Oracle on security fixes to Java

At the end of last month, Oracle's lead Java platform developer published a blog post giving an overview of previous and upcoming security fixes to Java. While this focus on security is promising (and necessary if Java is not to lose significant traction), the number of security issues still being discovered is staggering for a supposedly mature platform.

A key change to the Java security strategy concerns the behaviour of Java in browsers: signed applets will no longer automatically be "unsandboxed" simply because they carry a signature. Furthermore, Oracle is reportedly phasing out the use of unsigned and self-signed applets, combined with improvements to checking the revocation status of the signing certificates. This latter change is potentially significant for developers (myself included) who have been "lazy" with signing their apps, but it is probably a necessary step in the long run. (However, it is still important to keep in the back of one's mind that a valid signature only establishes who published the code; knowing somebody's identity does not necessarily reveal anything about their intentions...)

Oracle are also addressing the issue that companies are being put off using Java server-side because of the recent reports of security issues with Java in web browsers. Technologically speaking, many of these fears are probably unfounded: the browser issues are largely sandbox escapes, which matter when the JVM is executing untrusted code fetched from the web, whereas a server runs code its operators chose to deploy, a rather different threat model. But from a business point of view (read: how many programmers will be using Java in the future), Oracle does apparently understand the need to address perceptions of security as well as actual security issues.

In the meantime, a significant proportion of web traffic nowadays is coming from devices and browsers that do not support Java. I suspect that for client-side applications, many developers have already begun to adopt alternative solutions in any case.
